We often get into situations where people thing that the “bad guys” are script kiddies that do this for fun. Every malware analyst will tell you that the innovation on the wrong side of the fence is astonishing…

Anyway, lets have a look at one of the latest examples of such innovation: Bankpatch.C.

Bankpatch is a fairly “old” trojan which first appeared beginning of 2007. However Bankpatch.C which was first released in September 2008 through to February 2009 has some major enhancements.

Generally Bankpatch.C is a banking trojan that is designed to compromise online banking transactions. It waits silently on the consumer or corporate computer up until it finds an internet request it is interested in (a targeted website it has policies for) and then comes to life. It then has the ability to steal your login details, but also to dynamically inject HTML into the existing login form to capture whatever information they require. Alarmingly HTML can be injected into a secured SSL website without the computer security or the website owner becoming aware that it has been compromised.

This is also one of the “real-time” trojans that have the potential to act in real-time to compromize One-Time-Passwords (OTP) as intercept the OTP before it is used to authenticate the account holder as they access the banking website.

Another avenue is to deploying targeted payloads depending on the webservices used. The most widely payload is a BHO (Browser Helper Object) called Infostealer.Nadebanker.

Symantec has written about Bankpatch here and it received a bit of press. Michael Hale Ligh has a very good technical writeup with standalone detection tools here.

From a technical point, the most interesting part of Bankpatch.C is the fact that it uses an interesting approach to “rootkit” the machine, i.e. to stay undetected. After the initial infection, Bankpatch.C will “patch” (change) three core windows files and will inject its own malicious code into these system files. Therefore Bankpatch.C is not even present on the system as an individual file/process/software.

So how does Bankpatch accomplish this?

First of all, Bankpatch will disable the Windows File Protection (WFP) that is designed by Microsoft to make sure that no-one changes core windows files. Good to know that WFP can easily be disabled!!!

After this is done, Bankpatch will modify the following three core windows files through Position Independent Code (PIC)

• kernel32.dll
• wininet.dll
• powrprof.dll

Through patching these files, Bankpatch.C has now full control over

• any file that is created, opened, written or closed (through patching kernel32.dll)
• any internet connection that is opened, any webtraffic that comes in or leaves the computer, may it be encrypted or not (through patching wininet.dll)
• with these functions, the trojan has pretty much full control over the machine!

Antivirus Detections seems to be very low and one problem that we constantly face is that once the system is infected, virtually no Antivirus Engine can detect that the system is compromized. There is no malicious software running on the system, no process, no nothing… However nobody seems to notice that core windows functions are not how they should be!!!

TrustDefender will detect BankPatch.C in two ways (defense-in-depth):

1. through our whitelisting approach, TrustDefender detects that the core system libraries are NOT the legitimate ones
   
2. through our forensics analysis, TrustDefender detects that from a forensics point-of-view, these three files are suspicious.
   

In Summary, BankPatch.C is a testimonial of some excellence from the bad guys and it further indicates what we all know: They are getting smarter and smarter.

The lesson to be learnt is that we (the good guys) need to be smarter and smarter as well and we need more innovative approaches like our kernel forensics engine.